Bug 116067

Summary: CSP: Redirects in DocumentThreadableLoader should respect the active policy
Product: WebKit Reporter: Ryosuke Niwa <rniwa>
Component: Page LoadingAssignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE    
Severity: Normal CC: ap, beidson, bfulgham, dbates
Priority: P2 Keywords: BlinkMergeCandidate
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   

Description Ryosuke Niwa 2013-05-13 16:03:47 PDT 
We should probably merge
https://chromium.googlesource.com/chromium/blink/+/2853f594838e8bf24813482ad02f87853cae4366

CSP: Redirects in DocumentThreadableLoader should respect the active policy.

Canary currently fails test 150[1] and 156[2] of Erlend Oftedal's "CSP Testing"
checks[3]. Both fail because we currently only check the URL to which an XHR
connects during 'xhr.open()'. This patch adjusts the checks happening inside
DocumentThreadableLoader::redirectReceived in order to verify that the URL to
which we've been redirected passes through the page's Content Security Policy
as well.

[1]: http://csptesting.herokuapp.com/test/load/150
[2]: http://csptesting.herokuapp.com/test/load/156
[3]: http://csptesting.herokuapp.com/
Comment 1 Daniel Bates 2016-01-15 14:38:56 PST 

*** This bug has been marked as a duplicate of bug 69359 ***